CVE-2026-33405

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a...

CVE-2026-33405

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a...

CVE-2026-33405

Pi-hole Admin Interface: A stored HTML injection in the formatInfo() path of queries.js (v6.0–6.4) renders data.upstream, data.client.ip, and data.ede.text into HTML when expanding a Query Log row, with JavaScript execution blocked by CSP (script-src 'self'). The same fields are properly escaped ...

CVE-2026-33405 Pi-hole has a Stored HTML Injection in queries.js

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a...

CVE-2026-33405 Pi-hole has a Stored HTML Injection in queries.js

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a...

EUVD-2026-19283

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a...

PT-2026-30654

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a...

Exploit for CVE-2026-1337

CVE-2026-1337 - Neo4j - Log Injection Log injection by an au...

WordPress Relevanssi Premium plugin <= 2.25.0 - Missing Authorization to Unauthenticated Query Log Export vulnerability

Missing Authorization to Unauthenticated Query Log Export vulnerability discovered by Krzysztof Zając - CERT PL in WordPress Plugin Relevanssi Premium versions = 2.25.0...

EUVD-2020-23322

Malware in sbrugna...

CVE-2024-53257

Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered usin...

CVE-2020-35659

The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page...

Msticpy - Microsoft Threat Intelligence Security Tools

Microsoft Threat Intelligence Python Security Tools. msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks. It includes functionality to: query log data from multiple sources enrich the data with Threat Intelligence, geolocations and Azure resource data extract Indicator...

Pi-hole Web Interface < 5.2.2 XSS Vulnerability

The Pi-hole Web Interface previously AdminLTE is prone to a cross-site scripting XSS vulnerability. SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier:...

CVE-2020-35659

The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page...

Design/Logic Flaw

The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page...

CVE-2020-35659

The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page...

SA-CONTRIB-2009-062 - Devel - Cross Site Scripting

The Devel module contains many useful developer functions, such as a query log and the display of variables. When using the variable editor, the module does not properly sanitize the output of the variable name before display, leading to a cross-site scripting XSS vulnerability. Such an attack ma...